Setup Guide
KeySecure Classic (k150v)
Enable OpenManage Secure Enterprise Key Manager (SEKM) on Dell EMC PowerEdge Servers
Password authentication
It is recommended that you set this option to “Required (most secure)”. When set to this option, the password
for the user account that represents the iDRAC on the KMS must be provided to iDRAC as explained later in
Set up SEKM on iDRAC.
Client certificate authentication
It is recommended that you set this option to “Used for SSL session and username (most secure)”. When set to this
option, the SSL certificates must be set up on iDRAC as explained later in Set up SEKM on iDRAC.
The Username field in client certificate
It is recommended to set this option to one of the iDRAC supported values:
• CN (Common Name)
• UID (User ID)
• OU (Organizational Unit)
When set to one of these values, the iDRAC username on the KMS must be set up on the iDRAC as
explained later in Set up SEKM on iDRAC.
Require client certificate to contain source IP
It is recommended that you enable this option only if the iDRAC IP address does not change frequently. If this
option is enabled and the iDRAC IP address changes, SEKM will stop functioning until the SSL
certificates are set up again. If this option is enabled, ensure that the same option is also enabled on iDRAC,
as explained later in Set up SEKM on iDRAC.
1.3 Set up SEKM on iDRAC
Licensing and firmware update
SEKM is a licensed feature with the iDRAC Enterprise license as a prerequisite. To avoid an additional
iDRAC firmware update, it is recommended that the SEKM license is installed first and the iDRAC
firmware is then updated to a version that supports SEKM. This is because an iDRAC firmware update is always
required after the SEKM license is installed, irrespective of whether the existing firmware version supports
SEKM or not. The existing interface methods for installing a license and updating firmware can be used for
SEKM.
Set up SSL certificate
The SEKM solution mandates two-way authentication between the iDRAC and the KMS. iDRAC
authentication requires generating a CSR on the iDRAC and then getting it signed by a CA on the KMS and
uploading the signed certificate to iDRAC. For KMS authentication, the KMS CA certificate must be uploaded
to iDRAC.
Generate iDRAC CSR
Though most of the CSR properties are standard and self-explanatory, here are a few important guidelines:
• If the “Username Field in Client Certificate” option on the KMS is enabled, ensure that the iDRAC
account user name on the KMS is entered in the correct field (CN or OU or KMS User ID) that matches
the value selected in the KMS.
• If the “Require Client Certificate to Contain Source IP” field is enabled on the KMS, enable the
“iDRAC IP Address in CSR” field during the CSR generation.
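The two guidelines above can be checked before the CSR is sent to the KMS CA for signing. The following is an added example, not code from Dell or the KMS vendor: it reads the text dump produced by `openssl req -in <file> -noout -text` and compares it with the KMS authentication options. It assumes the iDRAC IP address appears as a Subject Alternative Name "IP Address" entry; the account name `idracuser01` and the address `192.0.2.10` are constructed sample values.

```python
import ipaddress
import re

# Constructed sample: trimmed `openssl req -noout -text` output for an iDRAC CSR.
SAMPLE_CSR_TEXT = """\
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = US, ST = Texas, O = Example Corp, OU = Lab, CN = idracuser01
        Requested Extensions:
            X509v3 Subject Alternative Name:
                IP Address:192.0.2.10
"""

def parse_csr_text(text):
    """Return (subject attribute dict, set of SAN IP addresses) from the text dump."""
    subject = {}
    m = re.search(r"^\s*Subject:\s*(.+)$", text, re.MULTILINE)
    if m:
        # Simple split: assumes no attribute value contains a comma.
        for part in m.group(1).split(","):
            key, _, value = part.partition("=")
            subject[key.strip().upper()] = value.strip()
    # Assumption: the iDRAC IP is carried as a subjectAltName IP Address entry.
    found = re.findall(r"IP Address:\s*([0-9A-Fa-f.:]+)", text)
    return subject, {ipaddress.ip_address(ip) for ip in found}

def check_csr(text, kms_username_field, kms_account, require_source_ip, idrac_ip):
    """List mismatches between the CSR and the KMS authentication settings."""
    subject, ips = parse_csr_text(text)
    problems = []
    if kms_username_field not in ("CN", "UID", "OU"):
        problems.append(f"{kms_username_field!r} is not an iDRAC supported username field")
    elif subject.get(kms_username_field) != kms_account:
        problems.append(f"{kms_username_field} is {subject.get(kms_username_field)!r}, "
                        f"KMS account is {kms_account!r}")
    if require_source_ip and ipaddress.ip_address(idrac_ip) not in ips:
        problems.append(f"CSR does not contain iDRAC IP {idrac_ip}")
    return problems

if __name__ == "__main__":
    result = check_csr(SAMPLE_CSR_TEXT, "CN", "idracuser01", True, "192.0.2.10")
    for line in result or ["CSR matches KMS settings"]:
        print(line)
```

An empty result means the CSR carries the KMS account name in the field selected on the KMS and, when the source IP option is enabled, the current iDRAC address.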